RE: Any Good use case of PAM (Privileged account Management) using Vcs

From: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
Date: Wed, 1 Dec 2021 16:42:27 +0000
To: "drummond.reed@evernym.com" <drummond.reed@evernym.com>, Bob Wyman <bob@wyman.us>
CC: sethi shivam <sethishivam27@gmail.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <MWHPR1301MB20944C5475B28C6BF4DB0F75C3689@MWHPR1301MB2094.namprd13.prod.outlook.com>

RE: "One should delegate rights, not credentials." Perfectly put, Bob.

It totally depends on what the credential represents … in general, you can’t make a blanket statement like the above.

Suppose, for example, the credentialSubject is an NFT (represented as an embedded VC). If I choose to sell the NFT, I’m not only delegating its rights but entire ownership of the NFT VC.

Michael Herman
Founder
Trusted Digital Web

From: Drummond Reed <drummond.reed@evernym.com>
Sent: Sunday, November 7, 2021 7:41 PM
To: Bob Wyman <bob@wyman.us>
Cc: sethi shivam <sethishivam27@gmail.com>; W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Re: Any Good use case of PAM (Privileged account Management) using Vcs

"One should delegate rights, not credentials." Perfectly put, Bob.

BTW, one can use a special class of VCs to delegate rights. There are several efforts to define such delegation models—see this discussion of Zcaps <https://kyledenhartog.com/comparing-VCs-with-zcaps/> from Kyle Den Hartog and the ToIP Authentic Chained Data Container (ACDC) Task Force <https://wiki.trustoverip.org/display/HOME/ACDC+%28Authentic+Chained+Data+Container%29+Task+Force>.

Best,

=Drummond

On Sun, Nov 7, 2021 at 11:17 AM Bob Wyman <bob@wyman.us> wrote:
Sethi,
You asked: "I want to give Access of a machine to my Colleague by sharing VC of (Privileged account)."

Delegating the rights associated with a VC is sometimes quite reasonable and may be supported; however, delegating the right to use an existing VC should not be supported. In commonly understood terms, it might sometimes be reasonable for me to delegate to you the right to act on my behalf, but it is never reasonable to delegate to you the right to "be" me. If you take an action, based on rights which were originally delegated to me, the fact that it was you, not me, who acted, should be discoverable, even if I approve of your actions. A common example of this is when someone uses a "Power of Attorney" to sign a contract. When they do, they typically sign documents with their own names and an annotation "on behalf of," "for," or "by power of attorney"; they don't forge the signature of the one who granted the power of attorney.

One should delegate rights, not credentials.

bob wyman

On Sat, Nov 6, 2021 at 7:48 PM sethi shivam <sethishivam27@gmail.com> wrote:
Hi Team,

Is it possible that we can give our VCs to someone for a particular period of time?

Like, I am on vacation and I want to give access to a machine to my colleague by sharing the VC of a privileged account.

And my second question is:

Is there any good enterprise-level use case of managing privileged accounts using VCs?

I am just trying to explore PIM-PAM use cases with VCs.
PIM = Privileged Identity Management

Today we have many tools like CyberArk, BeyondTrust.


Best Regards
Sethi Shivam
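Bob's distinction above (delegate a right, never the credential itself, and keep the delegate's own identity visible in whatever is done) as an added example that is not from any poster on this thread: a minimal capability-chain model, loosely in the spirit of the zcap-style delegation Drummond mentions but not an implementation of any spec. The DIDs, target and keys are constructed, and HMAC stands in for the asymmetric signatures a real system would use.

```python
import hashlib, hmac, json

# Constructed example keys. A real deployment resolves public keys from the
# DIDs and uses asymmetric signatures; HMAC stands in so the example runs offline.
KEYS = {"did:ex:admin": b"admin", "did:ex:alice": b"alice", "did:ex:bob": b"bob"}
ROOT_AUTHORITY = "did:ex:admin"  # only this party may mint a root capability


def _sig(signer, body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()

def mint_root(target, actions, controller):
    body = {"target": target, "actions": actions, "controller": controller, "parent": None}
    return {"body": body, "signer": ROOT_AUTHORITY, "sig": _sig(ROOT_AUTHORITY, body)}

def delegate(parent, delegator, new_controller, actions):
    """Delegator passes a (possibly narrower) right on; the parent stays intact."""
    body = {"parent": parent, "controller": new_controller, "actions": actions}
    return {"body": body, "signer": delegator, "sig": _sig(delegator, body)}

def verify_chain(cap):
    """Walk child -> root. Returns (controllers, target, allowed actions) or raises."""
    if not hmac.compare_digest(cap["sig"], _sig(cap["signer"], cap["body"])):
        raise ValueError("bad signature")
    body = cap["body"]
    if body["parent"] is None:
        if cap["signer"] != ROOT_AUTHORITY:
            raise ValueError("root capability not issued by the authority")
        return [body["controller"]], body["target"], set(body["actions"])
    chain, target, allowed = verify_chain(body["parent"])
    if cap["signer"] != chain[-1]:
        raise ValueError("delegator does not control the parent capability")
    if not set(body["actions"]) <= allowed:
        raise ValueError("delegation widens rights")  # attenuation only
    return chain + [body["controller"]], target, set(body["actions"])

def invoke(cap, invoker, action):
    """Authorize an invocation; the audit record names who acted and for whom."""
    chain, target, allowed = verify_chain(cap)
    if invoker != chain[-1] or action not in allowed:
        raise ValueError("invoker is not the controller, or action not granted")
    return {"actor": invoker, "on_behalf_of": chain[:-1], "target": target, "action": action}

def demo():
    # Alice covers her vacation by delegating login only; reboot stays with her.
    root = mint_root("ssh://host1", ["login", "reboot"], "did:ex:alice")
    cover = delegate(root, "did:ex:alice", "did:ex:bob", ["login"])
    return invoke(cover, "did:ex:bob", "login")
```

Handing Bob the root capability itself would make him invoke as Alice; here that invocation is refused, and the accepted path leaves Bob's DID in the audit record with Alice as the party he acted for.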
Received on Wednesday, 1 December 2021 16:42:44 UTC